On Wed, 2025-11-19 at 22:03 +0800, Coiby Xu wrote:
> Currently, when in-kernel module decompression (CONFIG_MODULE_DECOMPRESS)
> is enabled, IMA has no way to verify the appended module signature as it
> can't decompress the module.
>
> Define a new kernel_read_file_id enumerate READING_MODULE_COMPRESSED so
> IMA can calculate the compressed kernel module data hash on
> READING_MODULE_COMPRESSED and defer appraising/measuring it until on
> READING_MODULE when the module has been decompressed.
>
> Before enabling in-kernel module decompression, a kernel module in
> initramfs can still be loaded with ima_policy=secure_boot. So adjust the
> kernel module rule in secure_boot policy to allow either an IMA
> signature OR an appended signature i.e. to use
> "appraise func=MODULE_CHECK appraise_type=imasig|modsig".
>
> Reported-by: Karel Srot <[email protected]>
> Suggested-by: Mimi Zohar <[email protected]>
> Suggested-by: Paul Moore <[email protected]>
> Signed-off-by: Coiby Xu <[email protected]>

Thanks, Coiby! The patch is now queued in next-integrity.

-- 
Mimi
